[Snort-users] Performance again
edin.dizdarevic at ...7509...
Tue Dec 23 07:56:02 EST 2003
The first question is, anyway, what is actually meant by the statistics?
It would be interesting to know in which stages of the process a
packet drop may occur and what is meant by the output/perfmon:
1. During the capture (and copy from the kernel to the user space)
2. During the preprocessing/reassembling/decoding
3. During the pattern matching/alerting
4. During the output
AFAIK the statistics are only telling us what libpcap told
Snort (1.)? So how would more frequent perfmon output provide more
information? So I have to take a look at the complete situation in order
to guess(!) which task took so long that Snort had to give it up and
begin processing the new input.
> Your method for coming to your conclusion is invalid. You can not
> ignore what happens before snort drops packets, as that is probably
> what is causing the drop. If you need finer grained information, set
> perfmonitor to dump its data more frequently.